Record Analyzer Interface

The Record Analyzer widget appears when it is added to the workspace.



Description:

Use the Record Analyzer to gain insights into structured records such as logs. It enables analysis of "record" objects.


Field: Widget label

Description:

When records are ingested there are two modes: "streaming: true" and "streaming: false". The "View Live" and "View Saved" toggle buttons on the widget toolbar switch between viewing these two modes.

The "Community Filter" toggle is "Off" by default, meaning that the list of communities selected in the main GUI is ignored. When "On", only the currently selected communities are scanned.

Note that the refresh button in the top right of the Kibana view must currently be pressed after changing the toggle.

The data types viewed can be selected using the three "Show:" toggles:

Logs: Shows records harvested using the Logstash extractor.

Custom: Shows the results of custom jobs that have been configured with "$output.indexMode": "custom". Custom records are given "_type": "custom" and "sourceKey": "custom:<custom job title>".

Docs: Shows a subset of "normal" documents.

Field: Add Doc Query

Description: Adds the query from the GUI to the Record Analyzer query bar.

About the Kibana GUI

Note that it is out of scope of this documentation to define the fields of the Kibana GUI.  For more information, see the Kibana documentation.

Only the following fields are (currently) visible in the "Table" view (eg "All Events"):

Field          Description          Note
"message"      from the title
"@timestamp"   from publishedDate
"url"
"displayUrl"
"tags"
"type"         from mediaType


Entities and associations are stored in "nested" fields, which Kibana does not currently support.

Fields configured as non-indexed by the harvester (e.g. via the Search index settings pipeline element) cannot be viewed.
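As an added example (not code from this documentation or from the product itself), the following Python applies the rules above to constructed sample data: it labels custom-job output with the "_type" and "sourceKey" values the "Custom" toggle relies on, recovers the job title from such a record, and projects a document onto the six Table view columns, so nested fields such as entities never appear and any field passed as non-indexed is left out rather than guessed. The function names, the non_indexed parameter and the sample document are assumptions made for illustration.

```python
from typing import Dict, List, Optional

# Added example: not code from the Record Analyzer documentation or from the
# product. It applies the labelling and column rules stated on the page to a
# constructed sample record; function names, the `non_indexed` parameter and
# the sample data are assumptions for illustration.

CUSTOM_TYPE = "custom"                  # "_type" given to custom-job output
CUSTOM_SOURCEKEY_PREFIX = "custom:"     # sourceKey is "custom:" + job title

# Table view column -> field it is taken from, as listed on the page.
TABLE_VIEW_COLUMNS: Dict[str, str] = {
    "message": "title",
    "@timestamp": "publishedDate",
    "url": "url",
    "displayUrl": "displayUrl",
    "tags": "tags",
    "type": "mediaType",
}

# Constructed sample document shaped like a harvested "normal" document.
# The nested entities field is included to show it never reaches the table.
SAMPLE_DOC = {
    "title": "Outage on edge router",
    "publishedDate": "2014-02-11T09:30:00Z",
    "url": "http://logs.example.invalid/events/1",
    "displayUrl": "logs.example.invalid/events/1",
    "tags": ["syslog", "network"],
    "mediaType": "Log",
    "entities": [{"index": "edge-router/device"}],   # nested; not viewable
}


def label_custom_output(record: dict, job_title: str) -> dict:
    """Return a copy of one custom-job result labelled the way the page says
    custom records are stored: "_type": "custom", "sourceKey": "custom:<title>"."""
    labelled = dict(record)
    labelled["_type"] = CUSTOM_TYPE
    labelled["sourceKey"] = CUSTOM_SOURCEKEY_PREFIX + job_title
    return labelled


def custom_job_title(record: dict) -> Optional[str]:
    """Recover the job title from a labelled custom record, or None when the
    record is not custom-job output (the "Custom" toggle would not show it)."""
    if record.get("_type") != CUSTOM_TYPE:
        return None
    source_key = record.get("sourceKey", "")
    if not isinstance(source_key, str) or not source_key.startswith(CUSTOM_SOURCEKEY_PREFIX):
        return None
    return source_key[len(CUSTOM_SOURCEKEY_PREFIX):]


def to_table_row(doc: dict, non_indexed: frozenset = frozenset()) -> dict:
    """Project a document onto the Table view columns.

    Only the listed columns are produced, so nested fields such as entities
    and associations are never emitted. `non_indexed` is an assumed stand-in
    for fields the harvester was configured not to index; such a column is
    omitted instead of being filled with a guessed value.
    """
    row: Dict[str, object] = {}
    for column, source_field in TABLE_VIEW_COLUMNS.items():
        if source_field in non_indexed or source_field not in doc:
            continue
        row[column] = doc[source_field]
    return row


def table_rows(docs: List[dict], non_indexed: frozenset = frozenset()) -> List[dict]:
    """Build the rows the Table view would show for a list of documents."""
    return [to_table_row(d, non_indexed) for d in docs]


if __name__ == "__main__":
    print(to_table_row(SAMPLE_DOC))
    print(label_custom_output({"count": 3}, "Top Talkers"))
```

Passing the set of fields that the harvester's index settings exclude as non_indexed reproduces the caveat above: the corresponding column simply disappears from the row, which is what a reader should expect to see in Kibana rather than an empty value.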

About Kibana Dashboards

In the Kibana widget all users can see all dashboards. The Community Edition version is more restrictive:

Dashboards are stored as shares that can be edited, shared and deleted from the File Uploader.

"Live" dashboards are only visible in "live" mode, and "Saved" dashboards only in "saved" mode.

When a dashboard is first saved, it is shared with all currently selected communities and for the current live/saved mode.


Related User Documentation:

Record Analyzer